March Security Bulletin Issued Without Excel Fix

Microsoft is rolling out three security fixes today in its March patch release, with one item described as "critical" and two items labeled "important."

Two of the three fixes tackle spoofing issues, while the lone critical item addresses remote code execution (RCE) exploits. The fixes all pertain to Windows operating systems.

Some security experts are left wondering why a recently unearthed Excel flaw, announced on Feb. 24, wasn't patched in this rollout. Microsoft said it was aware of only "limited and targeted attacks" at the time. Even though there's no fix available, John Moyer, chief executive of BeyondTrust, issued a caveat to IT pros.

"While Excel is used extensively in normal times, its use is now particularly high due to tax season," Moyer said. "Organizations should pay close attention to the unpatched critical Excel vulnerability in the wild -- one that attackers are exploiting and that Microsoft does not offer a fix for in this round of Patch Tuesday updates."

The critical fix in the March security bulletin deals with flaws inherent in the Windows kernel found in Windows 2000, XP and Vista, along with Windows Server 2003 and 2008. It addresses vulnerabilities that can be exploited when opening certain graphics files. The problem stems from the way that the operating system parses and displays Windows Metafile- and Eclipse Modeling Framework-formatted image files. Corrupt image files can trigger this flaw in the Windows kernel.

"All that the attacker needs to do is encourage a victim to view a specially formatted image and the attacker can run code on the victim's system," explained Eric Schultze, chief technology officer at Shavlik Technologies. "The evil code will execute with system privileges -- even if the user wasn't logged on as an administrator. With system privileges, the evil code can access, copy, or delete any files on the system, create or delete user accounts, change passwords, or install backdoors."

Next in the March lineup are two important fixes for spoofing vulnerabilities. Spoofing is security-compromising trick in which hackers use disguised Internet Protocol addresses to impersonate a sender or another computer.

The first important fix covers Windows 2000, XP and Vista, along with Windows Server 2003 and 2008. It aims to resolve a "privately reported vulnerability in the Secure Channel (SChannel) security package in Windows," according to Microsoft's March security bulletin. The flaw allows users to log onto an SSL-protected server using "only the public key component of a certificate, not the associated private key," according to a Microsoft blog.

The second important fix addresses vulnerabilities in Windows 2000, plus Windows Server 2003 and 2008. It is bound to be the most controversial fix in the March security release. Redmond said that this important fix addresses "two privately reported vulnerabilities and two publicly disclosed vulnerabilities" in Domain Name System (DNS) and Windows Internet Name Service server programs.

"These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems," Microsoft explained in its March security bulletin.

Arguments over the nature, scope and remedies for DNS flaws extend back further than last summer, when Dan Kaminsky, a researcher at security firm IOActive Inc., announced a new vulnerability in the DNS. Kaminsky argued at the time that the problem was pervasive.

Given past issues seen with DNS server security, IT pros may want "to start looking for alternatives" if Microsoft keeps issuing fixes for the same problem, explained Andrew Storms, director of security operations at nCircle.

"Microsoft's DNS server has been patched a number of times in the past -- most recently in mid-2008 when Dan Kaminsky orchestrated a multivendor same-day release to address fundamental issues in the way DNS functions," Storms said. "Prior to that, we have seen Microsoft DNS updated in 2007 to fix a well understood theoretical attack."

All fixes in March's slate will require a system restart.

This month, Microsoft is telling IT pros to take a look at its update management portal to help plan and deploy the security fixes and updates. And, as it has done every month since last April, Redmond offers the latest information on nonsecurity updates via a monthly knowledgebase article. This month's article provides details on the Windows Mail Junk E-mail filter and Microsoft's Malicious Software Removal Tool.

Microsoft plans to hold March security bulletin Webcast on Wednesday March 11 at 11:00 a.m. Pacific time, and you can sign up for the Webcast here.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.